Insight Into the Global Threat Landscape

NETSCOUT Arbor's 13th Annual Worldwide Infrastructure Security Report

Key Findings

NETSCOUT Arbor produces this annual report based upon a survey that specifically includes individuals within the operational security community. Survey participation continues to grow despite additional efforts to encourage recusal of respondents without direct network or security operational experience.

Survey Respondents

45% Enterprise, Government + Education

55% Service Provider

We are continuing the trend toward a more balanced mix of SP and EGE organizations.

Multi-Vector Attacks

48% of EGE experienced multi-vector attacks.

Top DDoS Attack Motivations

Online Gaming

Criminals demonstrating attack capabilities

Extortion

EGE Internet Bandwidth

57% of EGE respondents saw their internet bandwidth saturated due to DDoS attacks, up from 42% in the previous year.

Service Provider

Service providers represent the majority of respondents, continuing the trend toward a more balanced mix of service providers and enterprise, government and education (EGE) organizations. DDoS attacks represent the dominant threat observed by the vast majority of service providers. Infrastructure outages also continue to be a threat with over half of operators experiencing this issue.

Targeted Customers

70% End-User/Subscriber

26% eCommerce

39% Cloud/Hosting

21% Gambling

37% Government

14% Manufacturing

41% Financial Services

10% Healthcare

32% Gaming

10% Energy/Utilities

29% Education

9% Law Enforcement

Organizational Security

60% of Service Providers have their own internal Security Operations Center (SOC) Team.

20% of Service Providers either fully or partially outsource SOC capabilities.

This highlights the global challenges organizations face to build and maintain an internal security team of skilled practitioners.

ATLAS®

NETSCOUT Arbor’s Active Threat Level Analysis System (ATLAS) gathers statistics from Arbor SP deployments around the world. There are currently more than 400 networks participating in the ATLAS initiative. Statistics are shared hourly and include DDoS attack details, along with other traffic information.

Peak Attack Size Monitored by ATLAS

641 Gbps

Targeted Countries

Top two countries being targeted by DDoS attacks.

United States

South Korea

Top two countries being targeted by DDoS attacks greater than 10 Gbps.

United States

Hong Kong

Largest Reflection/Amplification Attacks

641 Gbps: Largest DNS Reflection/Amplification Attack

662 Gbps: Largest NTP Reflection/Amplification Attack

ASERT®

The year 2017 was one in which IoT bots became the weapon of choice for launching DDoS attacks. The number of unsecured Internet of Things (IoT) devices that are connected to the internet every day continues to increase dramatically.

As the number of IoT devices increases, so do the security vulnerabilities. Attackers have invented new ways to detect, infect and compromise IoT devices, even those thought to be secure behind corporate firewalls.

IoT Devices

IHS Markit predicts the number of IoT devices will rise.

2017: 27 billion Connected Devices

2030: 125 billion Connected Devices

Professional Malware Arms Dealer

In 2017, there were two highly visible cases of more advanced attacks requiring the use of professional malware arms dealers.

The Windows Mirai Trojan was only active for 5 days but received multiple new updates in that time period.

The IoT Reaper had the potential to infect millions of IoT devices but was deliberately blocked from doing so by its authors.

DDoS Attack Trend

Looking at the number of DDoS incidents and the appearances of new IoT malware in the 2016–2017 time frame, it becomes apparent that the attacker/incident economy is cyclical in nature.

Enterprise, Government + Education

Enterprise, Government + Education organizations faced an increasingly active and complex threat environment this year. Attackers focused on complexity, leveraging weaponization of IoT devices while shifting away from reliance on massive attack volume to achieve their goals. The results of the WISR survey, together with our ATLAS data, demonstrate why an integrated multi-layer defense from the data center to the cloud is required.

Organizational Security

The smaller security teams may be a result of the reliance on outsourcing for SOC capabilities.

DNS Operators

Global DNS infrastructure provides the critical function of mapping the seemingly random sets of numbers in IP addresses (like 1.1.1.1) to a human-readable name that an internet consumer may recognize (like www.myfavoritestore.com). To scale to a global level, the DNS system was designed as a multi-level reference network that allows any user on the internet to query a set of servers that iteratively find where a specific domain is owned and get the name-to-IP-address mapping from that location. This system is based on trusting the legitimacy of these requests, and this year’s WISR report demonstrates why DDoS attacks continue to be a major threat to the availability of the DNS network.

DNS Infrastructure

68% of all respondents indicated that they operate a DNS infrastructure.

Slightly down from 74 percent in 2016, but in line with 2015.

Geography

Operating a DNS infrastructure is more common in North America and Europe than in Latin America, the Middle East, Africa, or Asia Pacific regions.

DDoS Attacks

DDoS attacks against DNS Infrastructure that led to a publicly visible service outage:

57% No

25% Yes

18% Do not know

Visibility of DNS Traffic

73% of respondents indicated visibility at Layers 3 and 4

43% of respondents indicated visibility at Layer 7

Organizational Security

25% of service providers have a special security group for DNS.

This is disappointing considering the criticality of DNS to these organizations.

Conclusion

The Worldwide Infrastructure Security Report is designed to help network operators understand the breadth of the threats that they face, gain insight into what their peers are doing to address these threats, and comprehend both new and continuing trends. We hope that you find the information useful in protecting your business for the coming year.